login(1) User Commands login(1)NAMElogin - sign on to the system
SYNOPSISlogin [-p] [-d device] [-R repository] [-s service]
[-t terminal] [-u identity] [-U ruser]
[-h hostname [terminal] | -r hostname]
[name [environ]...]
DESCRIPTION
The login command is used at the beginning of each terminal session to
identify oneself to the system. login is invoked by the system when a
connection is first established, after the previous user has terminated
the login shell by issuing the exit command.
Login cannot be invoked as a command, except by the superuser.
If login is invoked as a command, it must replace the initial command
interpreter. To invoke login in this fashion, type:
exec login
from the initial shell. The C shell and Korn shell have their own
builtins of login. See ksh(1) and csh(1) for descriptions of login
builtins and usage.
login asks for your user name, if it is not supplied as an argument,
and your password, if appropriate. Where possible, echoing is turned
off while you type your password, so it will not appear on the written
record of the session.
If you make any mistake in the login procedure, the message:
Login incorrect
is printed and a new login prompt will appear. If you make five incor‐
rect login attempts, all five may be logged in /var/adm/loginlog, if it
exists. The TTY line will be dropped.
If password aging is turned on and the password has aged, (see
passwd(1) for more information), the user is forced to change the pass‐
word. In this case the /etc/nsswitch.conf file is consulted to deter‐
mine password repositories (see nsswitch.conf(4)). The password update
configurations supported are limited to the following five cases.
o passwd: files
o passwd: files nis
o passwd: files nisplus
o passwd: compat (==> files nis)
o passwd: compat (==> files nisplus)
passwd_compat: nisplus
Failure to comply with the configurations will prevent the user from
logging onto the system because passwd(1) will fail. If you do not com‐
plete the login successfully within a certain period of time, it is
likely that you will be silently disconnected.
After a successful login, accounting files are updated. Device owner,
group, and permissions are set according to the contents of the
/etc/logindevperm file, and the time you last logged in is printed (see
logindevperm(4)).
The user-ID, group-ID, supplementary group list, and working directory
are initialized, and the command interpreter (usually ksh) is started.
The basic environment is initialized to:
HOME=your-login-directory
LOGNAME=your-login-name
PATH=/usr/bin:
SHELL=last-field-of-passwd-entry
MAIL=/var/mail/
TZ=timezone-specification
For Bourne shell and Korn shell logins, the shell executes /etc/profile
and $HOME/.profile, if it exists. For C shell logins, the shell exe‐
cutes /etc/.login, $HOME/.cshrc, and $HOME/.login. The default
/etc/profile and /etc/.login files check quotas (see quota(1M)), print
/etc/motd, and check for mail. None of the messages are printed if the
file $HOME/.hushlogin exists. The name of the command interpreter is
set to − (dash), followed by the last component of the interpreter's
path name, for example, −sh.
If the login-shell field in the password file (see passwd(4)) is empty,
then the default command interpreter, /usr/bin/sh, is used. If this
field is * (asterisk), then the named directory becomes the root direc‐
tory. At that point, login is re-executed at the new level, which must
have its own root structure.
The environment may be expanded or modified by supplying additional
arguments to login, either at execution time or when login requests
your login name. The arguments may take either the form xxx or xxx=yyy.
Arguments without an = (equal sign) are placed in the environment as:
Ln=xxx
where n is a number starting at 0 and is incremented each time a new
variable name is required. Variables containing an = (equal sign) are
placed in the environment without modification. If they already appear
in the environment, then they replace the older values.
There are two exceptions: The variables PATH and SHELL cannot be
changed. This prevents people logged into restricted shell environments
from spawning secondary shells that are not restricted. login under‐
stands simple single-character quoting conventions. Typing a \ (back‐
slash) in front of a character quotes it and allows the inclusion of
such characters as spaces and tabs.
Alternatively, you can pass the current environment by supplying the -p
flag to login. This flag indicates that all currently defined environ‐
ment variables should be passed, if possible, to the new environment.
This option does not bypass any environment variable restrictions men‐
tioned above. Environment variables specified on the login line take
precedence, if a variable is passed by both methods.
To enable remote logins by root, edit the /etc/default/login file by
inserting a # (pound sign) before the CONSOLE=/dev/console entry. See
FILES.
SECURITY
For accounts in name services which support automatic account locking,
the account may be configured to be automatically locked (see
user_attr(4) and policy.conf(4)) if successive failed login attempts
equals or exceeds RETRIES. Currently, only the files repository (see
passwd(4) and shadow(4)) supports automatic account locking. See also
pam_unix_auth(5).
The login command uses pam(3PAM) for authentication, account manage‐
ment, session management, and password management. The PAM configura‐
tion policy, listed through /etc/pam.conf, specifies the modules to be
used for login. Here is a partial pam.conf file with entries for the
login command using the UNIX authentication, account management, and
session management modules:
login auth required pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account required pam_unix_account.so.1
login session required pam_unix_session.so.1
The Password Management stack looks like the following:
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
If there are no entries for the service, then the entries for the other
service will be used. If multiple authentication modules are listed,
then the user may be prompted for multiple passwords.
When login is invoked through rlogind or telnetd, the service name used
by PAM is rlogin or telnet, respectively.
OPTIONS
The following options are supported:
-d device login accepts a device option, device.
device is taken to be the path name of the
TTY port login is to operate on. The use of
the device option can be expected to improve
login performance, since login will not need
to call ttyname(3C). The -d option is avail‐
able only to users whose UID and effective
UID are root. Any other attempt to use -d
will cause login to quietly exit.
-h hostname [terminal ] Used by in.telnetd(1M) to pass information
about the remote host and terminal type.
Terminal type as a second argument to the -h
option should not start with a hyphen (-).
-p Used to pass environment variables to the
login shell.
-r hostname Used by in.rlogind(1M) to pass information
about the remote host.
-R repository Used to specify the PAM repository that
should be used to tell PAM about the "iden‐
tity" (see option -u below). If no "iden‐
tity" information is passed, the repository
is not used.
-s service Indicates the PAM service name that should
be used. Normally, this argument is not nec‐
essary and is used only for specifying
alternative PAM service names. For example:
"ktelnet" for the Kerberized telnet process.
-u identity Specifies the "identity" string associated
with the user who is being authenticated.
This will usually not be the same as that
user's Unix login name. For Kerberized login
sessions, this will be the Kerberos princi‐
pal name associated with the user.
-U ruser Indicates the name of the person attempting
to login on the remote side of the rlogin
connection. When in.rlogind(1M) is operating
in Kerberized mode, that daemon will process
the terminal and remote user name informa‐
tion prior to invoking login, so the "ruser"
data is indicated using this command line
parameter. Normally (non-Kerberos authenti‐
cated rlogin), the login daemon will read
the remote user information from the client.
EXIT STATUS
The following exit values are returned:
0 Successful operation.
non-zero Error.
FILES
$HOME/.cshrc initial commands for each csh
$HOME/.hushlogin suppresses login messages
$HOME/.login user's login commands for csh
$HOME/.profile user's login commands for sh and ksh
$HOME/.rhosts private list of trusted hostname/username combi‐
nations
/etc/.login system-wide csh login commands
/etc/issue issue or project identification
/etc/logindevperm login-based device permissions
/etc/motd message-of-the-day
/etc/nologin message displayed to users attempting to login
during machine shutdown
/etc/passwd password file
/etc/profile system-wide sh and ksh login commands
/etc/shadow list of users' encrypted passwords
/usr/bin/sh user's default command interpreter
/var/adm/lastlog time of last login
/var/adm/loginlog record of failed login attempts
/var/adm/utmpx accounting
/var/adm/wtmpx accounting
/var/mail/your-name mailbox for user your-name
/etc/default/login Default value can be set for the following flags
in /etc/default/login. Default values are speci‐
fied as comments in the /etc/default/login file,
for example, TIMEZONE=EST5EDT.
TIMEZONE Sets the TZ environment
variable of the shell
(see environ(5)).
HZ Sets the HZ environment
variable of the shell.
ULIMIT Sets the file size limit
for the login. Units are
disk blocks. Default is
zero (no limit).
CONSOLE If set, root can login
on that device only.
This will not prevent
execution of remote com‐
mands with rsh(1). Com‐
ment out this line to
allow login by root.
PASSREQ Determines if login
requires a non-null
password.
ALTSHELL Determines if login
should set the SHELL
environment variable.
PATH Sets the initial shell
PATH variable.
SUPATH Sets the initial shell
PATH variable for root.
TIMEOUT Sets the number of sec‐
onds (between 0 and 900)
to wait before abandon‐
ing a login session.
UMASK Sets the initial shell
file creation mode mask.
See umask(1).
SYSLOG Determines whether the
syslog(3C) LOG_AUTH
facility should be used
to log all root logins
at level LOG_NOTICE and
multiple failed login
attempts atLOG_CRIT.
DISABLETIME If present, and greater
than zero, the number of
seconds that login will
wait after RETRIES
failed attempts or the
PAM framework returns
PAM_ABORT. Default is 20
seconds. Minimum is 0
seconds. No maximum is
imposed.
SLEEPTIME If present, sets the
number of seconds to
wait before the login
failure message is
printed to the screen.
This is for any login
failure other than
PAM_ABORT. Another login
attempt is allowed, pro‐
viding RETRIES has not
been reached or the PAM
framework is returned
PAM_MAXTRIES. Default is
4 seconds. Minimum is 0
seconds. Maximum is 5
seconds.
Both su(1M) and sulo‐
gin(1M) are affected by
the value of SLEEPTIME.
RETRIES Sets the number of
retries for logging in
(see pam(3PAM)). The
default is 5. The maxi‐
mum number of retries is
15. For accounts config‐
ured with automatic
locking (see SECURITY
above), the account is
locked and login exits.
If automatic locking has
not been configured,
login exits without
locking the account.
SYSLOG_FAILED_LOGINS Used to determine how
many failed login
attempts will be allowed
by the system before a
failed login message is
logged, using the sys‐
log(3C) LOG_NOTICE
facility. For example,
if the variable is set
to 0, login will log all
failed login attempts.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWcsu │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Evolving │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOcsh(1), exit(1), ksh(1), mail(1), mailx(1), newgrp(1), passwd(1),
rlogin(1), rsh(1), sh(1), shell_builtins(1), telnet(1), umask(1),
in.rlogind(1M), in.telnetd(1M), logins(1M), quota(1M), su(1M), sulo‐
gin(1M), syslogd(1M), useradd(1M), userdel(1M), pam(3PAM),
rcmd(3SOCKET), syslog(3C), ttyname(3C), auth_attr(4), exec_attr(4),
hosts.equiv(4), issue(4), logindevperm(4), loginlog(4), nologin(4),
nsswitch.conf(4), pam.conf(4), passwd(4), policy.conf(4), profile(4),
shadow(4), user_attr(4), utmpx(4), wtmpx(4), attributes(5), environ(5),
pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5), pam_auth‐
tok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_passwd_auth(5), termio(7I)DIAGNOSTICS
Login incorrect
The user name or the password cannot be matched.
Not on system console
Root login denied. Check the CONSOLE setting in /etc/default/login.
No directory! Logging in with home=/
The user's home directory named in the passwd(4) database cannot be
found or has the wrong permissions. Contact your system adminis‐
trator.
No shell
Cannot execute the shell named in the passwd(4) database. Contact
your system administrator.
NO LOGINS: System going down in N minutes
The machine is in the process of being shut down and logins have
been disabled.
WARNINGS
Users with a UID greater than 76695844 are not subject to password
aging, and the system does not record their last login time.
If you use the CONSOLE setting to disable root logins, you should
arrange that remote command execution by root is also disabled. See
rsh(1), rcmd(3SOCKET), and hosts.equiv(4) for further details.
NOTES
The pam_unix(5) module is no longer supported. Similar functionality is
provided by pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
pam_dhkeys(5), and pam_passwd_auth(5).
SunOS 5.10 4 May 2011 login(1)
